client/local, ipn/localapi, all: add CertDomains and DNSConfig accessors

Add two narrow LocalAPI accessors so callers don't have to subscribe to
the IPN bus and pull a full *netmap.NetworkMap just to read DNS-shaped
fields:

  - GET /localapi/v0/cert-domains returns DNS.CertDomains.
  - GET /localapi/v0/dns-config returns the full tailcfg.DNSConfig.

Migrate in-tree callers off the netmap-on-the-bus pattern:

  - kube/certs.waitForCertDomain still wakes on the IPN bus but now
    queries CertDomains via LocalClient.CertDomains rather than
    reading n.NetMap.DNS.CertDomains. The kube LocalClient interface
    and FakeLocalClient gain a CertDomains method.
  - cmd/tailscale dns status calls LocalClient.DNSConfig directly
    instead of opening a NotifyInitialNetMap watcher.
  - cmd/tailscale configure kubeconfig switches from a netmap watcher
    + serviceDNSRecordFromNetMap to LocalClient.DNSConfig +
    serviceDNSRecordFromDNSConfig.

This is part of a series moving callers away from depending on the
netmap traveling on the IPN bus, so the bus payload can shrink in a
later change.

Updates #12542

Change-Id: Ie10204e141d085fbac183b4cfe497226b670ad6c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

cmd/tailscale/cli/configure-kube.go

@@ -20,10 +20,8 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"k8s.io/client-go/util/homedir"
 	"sigs.k8s.io/yaml"
-	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/netmap"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/version"
 )
@@ -98,12 +96,12 @@ func runConfigureKubeconfig(ctx context.Context, args []string) error {
 	if st.BackendState != "Running" {
 		return errors.New("Tailscale is not running")
 	}
-	nm, err := getNetMap(ctx)
+	dnsCfg, err := getDNSConfig(ctx)
 	if err != nil {
 		return err
 	}
 
-	targetFQDN, err := nodeOrServiceDNSNameFromArg(st, nm, hostOrFQDNOrIP)
+	targetFQDN, err := nodeOrServiceDNSNameFromArg(st, dnsCfg, hostOrFQDNOrIP)
 	if err != nil {
 		return err
 	}
@@ -240,14 +238,14 @@ func setKubeconfigForPeer(scheme, fqdn, filePath string) error {
 // nodeOrServiceDNSNameFromArg returns the PeerStatus.DNSName value from a peer
 // in st that matches the input arg which can be a base name, full DNS name, or
 // an IP. If none is found, it looks for a Tailscale Service
-func nodeOrServiceDNSNameFromArg(st *ipnstate.Status, nm *netmap.NetworkMap, arg string) (string, error) {
+func nodeOrServiceDNSNameFromArg(st *ipnstate.Status, dns *tailcfg.DNSConfig, arg string) (string, error) {
 	// First check for a node DNS name.
 	if dnsName, ok := nodeDNSNameFromArg(st, arg); ok {
 		return dnsName, nil
 	}
 
 	// If not found, check for a Tailscale Service DNS name.
-	rec, ok := serviceDNSRecordFromNetMap(nm, arg)
+	rec, ok := serviceDNSRecordFromDNSConfig(dns, arg)
 	if !ok {
 		return "", fmt.Errorf("no peer found for %q", arg)
 	}
@@ -269,25 +267,13 @@ func nodeOrServiceDNSNameFromArg(st *ipnstate.Status, nm *netmap.NetworkMap, arg
 	return "", fmt.Errorf("%q is in MagicDNS, but is not currently reachable on any known peer", arg)
 }
 
-func getNetMap(ctx context.Context) (*netmap.NetworkMap, error) {
+func getDNSConfig(ctx context.Context) (*tailcfg.DNSConfig, error) {
 	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
-
-	watcher, err := localClient.WatchIPNBus(ctx, ipn.NotifyInitialNetMap)
-	if err != nil {
-		return nil, err
-	}
-	defer watcher.Close()
-
-	n, err := watcher.Next()
-	if err != nil {
-		return nil, err
-	}
-
-	return n.NetMap, nil
+	return localClient.DNSConfig(ctx)
 }
 
-func serviceDNSRecordFromNetMap(nm *netmap.NetworkMap, arg string) (rec tailcfg.DNSRecord, ok bool) {
+func serviceDNSRecordFromDNSConfig(dns *tailcfg.DNSConfig, arg string) (rec tailcfg.DNSRecord, ok bool) {
 	argIP, _ := netip.ParseAddr(arg)
 	argFQDN, err := dnsname.ToFQDN(arg)
 	argFQDNValid := err == nil
@@ -295,7 +281,7 @@ func serviceDNSRecordFromNetMap(nm *netmap.NetworkMap, arg string) (rec tailcfg.
 		return rec, false
 	}
 
-	for _, rec := range nm.DNS.ExtraRecords {
+	for _, rec := range dns.ExtraRecords {
 		if argIP.IsValid() {
 			recIP, _ := netip.ParseAddr(rec.Value)
 			if recIP == argIP {

cmd/tailscale/cli/dns-status.go

@@ -14,9 +14,7 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/cmd/tailscale/cli/jsonoutput"
-	"tailscale.com/ipn"
 	"tailscale.com/types/dnstype"
-	"tailscale.com/types/netmap"
 )
 
 var dnsStatusCmd = &ffcli.Command{
@@ -120,11 +118,10 @@ func runDNSStatus(ctx context.Context, args []string) error {
 			SelfDNSName:     s.Self.DNSName,
 		}
 
-		netMap, err := fetchNetMap()
+		dnsConfig, err := localClient.DNSConfig(ctx)
 		if err != nil {
-			return fmt.Errorf("failed to fetch network map: %w", err)
+			return fmt.Errorf("failed to fetch DNS config: %w", err)
 		}
-		dnsConfig := netMap.DNS
 
 		for _, r := range dnsConfig.Resolvers {
 			data.Resolvers = append(data.Resolvers, makeDNSResolverInfo(r))
@@ -357,19 +354,3 @@ func formatDNSStatusText(data *jsonoutput.DNSStatusResult, all bool) string {
 	fmt.Fprintf(&sb, "[this is a preliminary version of this command; the output format may change in the future]\n")
 	return sb.String()
 }
-
-func fetchNetMap() (netMap *netmap.NetworkMap, err error) {
-	w, err := localClient.WatchIPNBus(context.Background(), ipn.NotifyInitialNetMap)
-	if err != nil {
-		return nil, err
-	}
-	defer w.Close()
-	notify, err := w.Next()
-	if err != nil {
-		return nil, err
-	}
-	if notify.NetMap == nil {
-		return nil, fmt.Errorf("no network map yet available, please try again later")
-	}
-	return notify.NetMap, nil
-}